The Second Line of Defense

Created on 2019-10-24 15:42

Published on 2019-10-24 16:02

What is the mysterious “second line of cyber defense” in an organization? What is its purpose and why are so many regulated institutions—from financial services to insurance to healthcare and still others—working to implement such a group? What are the benefits, what is the ROI and does it really pay off? Is it truly defending or protecting against something? At the end of the day, how should it operate and how does it help?

Over the years I’ve worked in both the 1st (IT and IS operations) and 2nd lines of defense (Enterprise/Ops risk), and indirectly with the 3rd (Audit and Compliance), for financial, insurance and other institutions. I’ve been an IT network manager, a risk manager and a CISO; and during the past year and a half, I’ve been a security consultant, working in all three lines for large and midsized organizations. I’ve worked with many different roles including CIOs, CISOs, auditors, compliance officers, EROs, OROs, CTOs, COOs, CEOs and even directors, all with differing priorities, strategies, goals and objectives. Some of the institutions have had 2nd lines of defense and some have not. Given everything I’ve experienced, I understand that the 2nd LOD cyber RM group is much more than just a go-between or a “spot check” of the 1st LOD’s policies, standards and procedures, necessary for a successful audit. Or, at least it should be, if implemented correctly and supported from the top. But unfortunately, design challenges often undermine the value of this important group and feed the stigma attached to it.

The 2nd LOD, usually a division of Enterprise Risk Management (ERM), should be designed and tasked with providing real value above and beyond what the regulators advise: it should be a trusted partner and advocate of the 1st line. But that is not always the case. If you’ve implemented a 2nd LOD cyber security risk management group, and your Chief Information Security Officer (CISO) reports to the COO or CIO without proper independence and oversight, you’re probably beginning to figure this out. If you’re like some organizations that hastily implemented a 2nd line cyber RM function in response to an audit finding, MRA or MRIA (a Matter Requiring Attention or a Matter Requiring Immediate Attention from the regulator), or thought you should implement one because everyone else is doing it, or are contemplating formulating one, I hope to provide some thoughts and guidance on proper design, based on my experience, to ensure value and effectiveness.

What is the regulatory definition? The OCC states that the 2nd LOD is to provide “guidance and oversight” to the 1st LOD. Here is the OCC’s full definition from the Comptroller’s Handbook, Corporate and Risk Governance (July 2016, https://www2.occ.gov/publications/publications-by-type/comptrollers-handbook/corporate-risk-governance/pub-ch-crg.pdf):

"The second line of defense is commonly referred to as IRM [Independent Risk Management], which oversees risk taking and assesses risks independent of the frontline units, business units, or functions that create risk. IRM complements the frontline unit’s risk-taking activities through its monitoring and reporting responsibilities, including compliance with the bank’s risk appetite. IRM also provides input into key risk decisions. Additionally, IRM is responsible for identifying, measuring, monitoring, and controlling aggregate and emerging risks enterprise-wide. In some banks, the second line of defense is less formal and includes such functions and roles as loan review, a chief compliance officer, or a chief credit officer."

Although it is not explicit, the OCC does provide hints about the key ingredients of a successful 2nd LOD cyber RM function. For starters, it calls for independence and for a unit that complements the 1st line’s activities. Both elements are essential for cyber security, and especially so in those institutions where 1st line IS reports to the CIO/IT. Why? Because an independent cyber security RM function provides a means to overrule potential conflicts of interest. The 2nd LOD cyber RM function should be incentivized by risk reduction: identifying and calling out the consequences of cost-driven decisions that stall the implementation of security controls. Security is an expense that may delay product delivery, and the 2nd LOD, independently complementing the 1st line’s reporting activities, can help to tip the scales appropriately where risk exceeds tolerance. Ultimately, the 2nd LOD cyber RM leader and team provide that balance.

But who, or what type of individual, can provide this 2nd LOD cyber RM support? Unfortunately, the OCC does not mention any requirement for a cyber security risk management officer or related manager within the 2nd LOD. If you’ve been in information or cyber security management for at least a year, you’ll realize that compliance isn’t enough; institutions must assess their own risk based on their business and tailor controls appropriately. Having someone specialized in “cyber” within the 2nd LOD RM group will help to meet this objective. Preferably, the team should have risk management experience and education, and should include at least one individual who comes from 1st LOD IT/IS with in-depth technical knowledge of security risks, threats and appropriate controls. The individual should understand the top-down management style of your institution and what the board/directors/executives want from a reporting perspective, or be able to educate the top on what they should be getting. The leader of this group needs to be relationship-driven and a genuinely respected partner of 1st LOD senior and middle management, able to understand and articulate issues without blame or finger-pointing. In my opinion, former CISOs are great candidates for this role as they typically have all the proper ingredients. With the right leader and team, the 2nd LOD can be of true value to the 1st.

Once you have the right team, what are they to do? Besides understanding the business and the business’s risk tolerance and appetite, they should immediately start building relationships. The first and foremost meetings should be with the CISO and his/her direct reports. Next, with the rest of the CxOs. Meet also with the other key 1st line business units and product and service managers. And finally, meet with Audit and Compliance. Probe to identify their challenges, complexities, priorities (personal and professional) and business drivers. Identify all currently utilized IT and IS policies, standards and frameworks, how and how often these are updated, and by whom. Understand existing issues, findings and program-level assessment results. Set up regular one-on-ones with the CISO and directs, to get coffee and just chat, as these relationships will be the most valuable in the long term. The 2nd LOD will also need to be embedded in any business/product/service change meetings, IT/IS incident meetings and policy/standard meetings to further understand the evolution of the business and any risk and control decisions. Of course, the team will also be invited to many other meetings, including IT/IS steering, risk committees and the like. The 2nd line also needs to understand the current risk assessment methodologies and processes across the organization, to ensure alignment between inherent and residual risk from a CIA (confidentiality, integrity and availability) perspective, and to understand all of the cyber security reporting, from the bottom up. Identify who is getting which reports and what they contain. At the end of the day, all IT/IS reports should be enhanced to align with the audience’s needs and with the risk appetite/tolerance policy, and all enhancements should be blessed first by the appropriate IT/IS management (i.e., no surprises).

Clearly there will be many things for the 2nd LOD cyber RM function to do; however, as it may be small and underfunded, it will also need to prioritize. To be successful, such prioritization must be fully aligned with the CISO, with your own 2nd LOD management and with the 3rd line (Audit). Priority will likely be given to key issues (IT and IS incidents), internal and 3rd party risk assessment methodology enhancements, and reporting. If resources are available, scope can be expanded to include other areas such as business continuity/disaster recovery management, mergers and acquisitions, SDLC processes, big data analytics and even IT infrastructure. If it falls within CIA, it should be considered a likely candidate.

For those of you working for banks in a newly formed 2nd LOD, responsible for further developing the cyber security risk management program, you should work to align it with a recognized framework such as NIST or ISO and ensure interoperation with existing processes. Hopefully you will have a clear delineation between the 1st and 2nd lines of defense. If your CISO reports to the CIO, you may find both challenges and opportunities: the security organization may struggle to meet its inherent goal of appropriately securing the environment because of conflicting priorities. As in many organizations with this reporting structure, the priorities of speed and delivery may sometimes outweigh those of security, and this will likely be evident from the number of outstanding unpatched vulnerabilities, end-of-life/end-of-support issues and the various delivery “mishaps” occurring in IT. You will likely find that the CISO needs an advocate and partner outside of his/her reporting channel; someone to articulate the IT security risks and ensure an adequate and balanced focus is given to them alongside the objectives of rapid product delivery and performance. You should strive to be this advocate. Ensure that the 1st LOD IT and IS organizations don't come to consider the 2nd a waste of time, duplicative or simply a hindrance.

In the beginning, you may need to beg for invitations to IT/IS meetings. If you do get to attend, you might find that issues are generally not discussed, that IS management morale is low and that they often express how they can never get ahead of the issues. But in time, over the course of a year or two, if you are doing things right, you will find that your team has developed exactly what is necessary for the CISO’s success: a true and trusted partnership and an advocate. You will accomplish this through many group and one-on-one meetings with the CISO’s team: listening to issues and challenges, understanding conflicts, capturing and reporting security metrics that matter, and recommending controls and process improvements better aligned with security objectives and standards. Ultimately, you will provide the CISO with an independent channel to identify and meet necessary objectives without significantly compromising IT performance goals. After that time, you will be more actively invited to nearly all IT and IS strategy and architecture/business change discussions; you will be involved in the processes from the outset, able to recognize challenges throughout implementation and to help prioritize security appropriately throughout the product lifecycle. Because of your work and partnership, you will provide the CISO and management with appropriate tactical data and strengthen the CISO’s control. Vulnerabilities and end-of-support issues should be more adequately identified and addressed, and the attitude of security leadership and management will improve as a result of your collaboration.

To summarize, in my opinion, the 2nd LOD cyber RM function’s purpose is to be a partner with security, to help security meet its board and customer-driven objectives of securing information and assets. It is to provide balance in an organization where such may be misaligned due to non-security objectives. And, any organization seeking to protect information and other assets from cyber threats should seriously consider implementing such a group, no matter the institution’s business objectives, sector, size or regulatory requirements. I think the benefits will clearly outweigh the expense, and given the right leadership, the 2nd LOD cyber RM function will truly pay off.